Simple example of passing Splunk search results to...

jburman123 · ‎07-31-2014

The example provided by SPLUNK for an R script uses the addr.r script that does not use SPLUNK search results. Can you provide a very simple example of a R script that ingests SPLUNK search results and passes them to the script and displays the result?

yuanliu · ‎08-13-2014

I used Splunk search to feed FFT here: http://answers.splunk.com/answer_link/149675/.

A really basic test to understand input from Splunk is to run

| r "output=input"

input is a data frame composed of your search results as well as some Splunk implicit fields. (Data frame is the biggest revelation to me, thanks to @rfujara_splunk.) All fields are prefixed with "X". For example, X_time is Splunk _time, X_span is Splunk _span if you used timechart or bucket; if your search outputs a field host, R sees it as Xhost.

output is the data frame to send back to Splunk. Each component name is used as a field name by Splunk.

Simple example of passing Splunk search results to an R script and displaying the results?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation